
The Beginning of the End of Passwords

Repeat after me, loudly: Death to passwords! Death to passwords!

Really, it’s about time. With the help of new standards from the FIDO Alliance and the support of companies like Google, the new Security Key (left) may change how you log in forever.

Passwords are the “keys to the castle” for important parts of our lives online, from financial accounts to health records to the communications tools we use every day, like email, chat, Facebook, and Twitter.

For something so important, passwords have long been a poor fit: they are frequently stolen in massive quantities, written down on post-it notes attached to the computers they’re supposed to protect (please don’t do that!), and people choose passwords that are way, way too simple (e.g., “password”).

Password management strategies have had a hard time keeping up. We use password managers – software for generating, storing, and entering passwords – at CDT, but I still have about 900 passwords with a complicated mesh of rules that dictate what they should look like for each service and how often I have to change them. Moreover, I have to be very careful how I protect this collection of keys to my kingdom; losing control of my password manager means all my accounts online could be compromised.

Thankfully, more and more services online are using two-step login. You may be familiar with two-step through the authentication codes your bank sends you via text message when you are logging in from a new device. The strongest login methods require “something you know” – like a password – as well as “something you have” – like your phone. But to get a code texted to you on your phone you have to have a phone, you have to have a network connection, and your phone has to be with you and have battery power. That’s not ideal.

The new U2F – “Universal Two-Factor” – available on Amazon for $18 and for which Google is announcing support today across its services, promises to make two-step login easier and more convenient. You simply type your password and then, when prompted, insert the key into your USB port and touch the glowing blue key. Voila, you’re in! U2F also works wirelessly on some newer smartphone models.

It’s dead simple, and it takes a lot of the weight off of our increasingly creaky and unstable password-based infrastructure online. Bad guys who want to hijack your online accounts won’t be able to do so by just guessing your password or stealing it. The U2F key is based on an open standard – the U2F standard from the FIDO Alliance – so any service or software can start to use it today.
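The login flow just described, as an added Go example that is not part of this post or of the FIDO specifications: the key holds a key pair for each site it was registered with, signs the site's challenge only on a touch and only for that site's origin, and the site checks the signature against the public key it stored at registration plus a counter that must move forward. The origin string and the clientData JSON in the test are constructed for the demo; the signed-message layout is modelled on the U2F authentication message.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Key models the Security Key: a P-256 key pair bound to one site (appID) plus a touch counter.
type Key struct {
	appID   string
	priv    *ecdsa.PrivateKey
	counter uint32
}
// NewKey registers the key with appID; the site keeps only the returned public key, which is useless to a thief.
func NewKey(appID string) (*Key, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail in practice
	return &Key{appID: appID, priv: priv}, &priv.PublicKey
}
// signedData is the U2F authentication message: SHA-256(appID) || presence byte || counter || SHA-256(clientData).
func signedData(appID string, counter uint32, clientData []byte) []byte {
	app, client := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	msg := append(app[:], 0x01) // 0x01: the user physically touched the key
	msg = append(msg, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(msg[33:], counter) // 4-byte big-endian press counter
	return append(msg, client[:]...)
}
// Authenticate signs the challenge only for the origin the key was registered with: a look-alike site gets nothing.
func (k *Key) Authenticate(appID string, clientData []byte) (counter uint32, sig []byte) {
	if appID != k.appID { // wrong origin: no signature, even if the attacker already holds the password
		return 0, nil
	}
	k.counter++
	digest := sha256.Sum256(signedData(appID, k.counter, clientData))
	sig, _ = ecdsa.SignASN1(rand.Reader, k.priv, digest[:]) // fails only on a malformed key
	return k.counter, sig
}
// Server keeps the registered public key and the last counter it accepted.
type Server struct{ appID string; pub *ecdsa.PublicKey; lastCtr uint32 }
// Verify accepts the touch only if the signature checks under the stored public key and the counter moved forward.
func (s *Server) Verify(clientData []byte, counter uint32, sig []byte) bool {
	digest := sha256.Sum256(signedData(s.appID, counter, clientData))
	if counter <= s.lastCtr || !ecdsa.VerifyASN1(s.pub, digest[:], sig) {
		return false // replayed response, cloned key that fell behind, or forged signature
	}
	s.lastCtr = counter
	return true
}
```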

Of course, nothing’s perfect, as I was reminded recently: I had left my keys upstairs when prompted to log in to Google Docs. No worries, my phone was right next to me and I still had the option of using a text message code. I guess tech can’t fix lazy.